The French data protection authority CNIL has fined Google LLC EUR 50 million for several breaches of GDPR, the General Data Protection Regulation: lack of transparency, inadequate information to users, and lack of valid consent for ads personalization.
Considering that the maximum fine under GDPR is EUR 20 million or 4% of annual worldwide turnover at group level, whichever is higher, the fine issued to Google must be considered low.
Alphabet Inc., the owner of Google LLC, had an annual turnover of about $110 billion in 2017, giving a theoretical maximum fine of roughly $4.4 billion. The issued fine therefore amounts to only about 1% of the theoretical maximum.
Also noteworthy is that the fine is issued to Google LLC, a company registered in Delaware, USA, and not to any of Google's European subsidiaries. CNIL is here enforcing one of the general principles of GDPR: the regulation applies to anyone processing the personal data of people in the EU, wherever the processor is established. This makes GDPR in effect a global piece of legislation, affecting any company that may come into contact with people in the EU.
Looking at the material breaches identified by CNIL, Google has made two principal mistakes with regard to GDPR.
A violation of the obligation to have a legal basis
Firstly, the information on which the consent is based is not easily accessible to the user, and the information itself is not clear. Google claims to have gathered consent from its users and relies on that legal basis for processing their personal data, but because the consent is neither "specific" nor "unambiguous", CNIL concludes that the legal basis "consent" cannot be used. Google is therefore unlawfully processing the personal data of people in the EU.
Secondly, the consent boxes are hidden under a menu and pre-ticked. This amounts to opt-out, whereas GDPR demands opt-in.
In its statement CNIL also notes that the Android operating system has a huge impact on the French market. This might be read as the fine only covering violations towards French users, which in turn opens the door for further fines from other data protection authorities within the EU.
For instance, The Swedish Data Protection Authority has recently started a case looking at Google.
One thing is for sure though. GDPR is here to stay, and 2019 will be filled with stories like this.
Companies would do well to review their consent gathering, but more importantly they must know where personal data resides and make sure they have documented a correct legal basis for processing it.